- Issue created by @larowlan
- Merge request !11138: Ensure that labels used in config translation are escaped (Open) created by akalata
- 🇺🇸 United States greggles Denver, Colorado, USA
The title is SSRF (server-side request forgery), which I understand to mean a request from the server to other machines on the server's network, as described in PortSwigger and OWASP.
The description includes:
> The vulnerability allows one Drupal user with administrative permissions to create a page which can force another Drupal user to make a call to a server under the control of an attacker.
and
> The browser will make a call to the malicious server
That is not a server-side request.
I can see how this would let an admin gain data about the site visitors, which is not ideal, but on most sites an admin who can enter translations can probably already make other changes to a site that would also gain information about a visitor.
I'm surprised if this is the only place where a user with only the ability to translate could insert an image. I think other strings are similarly not filtered.
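An added example, not Drupal core code and not posted by anyone in this thread, showing the defensive side of the merge request title: a translated config label is untrusted text and must be escaped before it is placed in markup, and stored translations can be audited for markup. The functions `render_label_unescaped`, `render_label_escaped` and `find_markup_in_translations` and the sample translations are all constructed for this illustration.

```php
<?php
// Added example (not Drupal core code). Shows why a config-translation label
// has to be escaped before rendering, and a simple audit over stored
// translations. Function names and sample data are constructed here.

declare(strict_types=1);

/**
 * Hypothetical label renderer (not Drupal's own API). The unescaped form
 * interpolates the translated string straight into the template, so any
 * markup a translator stored becomes live HTML for every visitor.
 */
function render_label_unescaped(string $label): string {
  return '<label>' . $label . '</label>';
}

/**
 * Hardened form: htmlspecialchars() with ENT_QUOTES is what Drupal's
 * Html::escape() wraps, so tags and attribute quotes become inert text.
 */
function render_label_escaped(string $label): string {
  return '<label>' . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</label>';
}

/**
 * Audit helper (constructed, not a core API): returns the translation keys
 * whose stored value contains something that looks like a tag. A legitimate
 * label is plain text, so any hit deserves a look by a site administrator.
 */
function find_markup_in_translations(array $translations): array {
  $suspicious = [];
  foreach ($translations as $key => $value) {
    if (preg_match('/<\s*[a-zA-Z!\/]/', $value) === 1) {
      $suspicious[] = $key;
    }
  }
  return $suspicious;
}

// Constructed sample translations: one plain label, one carrying an image tag
// pointing at a placeholder host.
$translations = [
  'system.site:name' => 'Mon site',
  'field.field.node.article.body:label' => 'Corps <img src="https://example.invalid/t.gif">',
];

foreach ($translations as $key => $value) {
  echo $key, "\n";
  echo '  unescaped: ', render_label_unescaped($value), "\n";
  echo '  escaped:   ', render_label_escaped($value), "\n";
}
print_r(find_markup_in_translations($translations));
```

The escaped rendering of the second label shows the image tag as literal text rather than emitting a request from the visitor's browser, and the audit reports only that key.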
- 🇺🇸 United States smustgrave
Seems the test-only failure is passing when I would expect it to fail, so I think that needs tweaking: https://git.drupalcode.org/issue/drupal-3440399/-/jobs/4273224